Win.Trojan.Bifrose-18718 — Office (OLE) / .DO malware analysis

Static analysis result for SHA-256 17cc7b76df5d9bbc…

MALICIOUS

Office (OLE) / .DO

467.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: ab366018281fc25f7f99e8c2a69b7aed SHA-1: ff3b7bab856eba88e42aeacd65c2eadf38931a67 SHA-256: 17cc7b76df5d9bbcd4c8630be2966e7933fb02faf028ed7fe783b26ba93a8923
420 Risk Score

Malware Insights

Win.Trojan.Bifrose-18718 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Word document identified as Win.Trojan.Bifrose-18718 by ClamAV. It exploits CVE-2008-2244, a vulnerability in Microsoft Word's record-parsing, to embed and execute a Portable Executable (PE) file. The heuristics indicate the presence of APIs like VirtualAlloc, LoadLibrary, and GetProcAddress, commonly used by malware to load and execute payloads. The large slack space and appended payload further suggest the presence of hidden malicious content.

Heuristics 9

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Bifrose-18718 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Bifrose-18718
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 478,673 bytes but its declared streams total only 21,151 bytes — 457,522 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00011618.exe
96ee737c2ee9757bd13f557e415476bc9c9eacf7d145e9a34df0f848c7a5de6f		 embedded-pe Office MZ+PE at offset 0x11618 407481 bytes
Detection
ClamAV: Win.Trojan.Bifrose-18718
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.